Information Security = Web Application Security
It’s not a question of “if” but “when.” In the past, corporate information security meant firewalls, strong passwords, virus protection, operating system updates, and physical security. While all of these techniques are still important, in an age of massively interconnected systems these basic security measures are no longer enough.
Information security is not just a theoretical concern. Last week NetworkWorld reported that many companies experience significant financial losses as a result of online security breaches, and the cost is going up:
In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.
According to the founder of Whitehat Security, publicly-accessible Web applications have become the biggest attack vectors for information security professionals:
It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe, IC3).
The two most critical attack vectors are well known and have been around for years, but they still plague Web application developers: SQL Injection and Cross Site Scripting (XSS) attacks. Unlike viruses or operating system vulnerabilities, there is no “patch” that can be applied to protect your organization from these attacks, because the flaws live in your own application code rather than in a vendor’s product.
The best protection is to use current, well-tested frameworks for Web application development, and closely analyze your existing Web applications. In either case this could require extensive development effort to update existing applications, as well as careful monitoring of best practices such as unit tests and code reviews to ensure new development does not re-introduce vulnerabilities. Sounds like a lot of work, doesn’t it? Unfortunately, there is no quick fix to this security challenge, especially for organizations with a large investment in older Web-based applications that may have unknown security vulnerabilities.
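As an added illustration, not code from the original post, here is the vulnerable-versus-hardened pattern that a current framework enforces for you, together with the kind of regression test the paragraph above recommends. It assumes Python with the standard library sqlite3 and html modules and a constructed in-memory users table.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the demonstration: a two-row users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # The query text is assembled from user input, so a quote inside `name`
    # changes the structure of the SQL statement itself.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, name):
    # Parameter binding: the driver passes `name` as data, never as SQL text.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    # Output escaping keeps browser-meaningful characters inert inside HTML,
    # which is the defence against reflected XSS.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def regression_check():
    # A unit test of the kind the text calls for: any string that is not an
    # exact user name must match nothing in the hardened lookup, and markup in
    # a name must come back escaped. The vulnerable lookup is kept only to
    # show what the check catches.
    conn = make_db()
    tricky = "x' OR 'a'='a"
    return {
        "vulnerable_leaks": len(find_user_vulnerable(conn, tricky)) > 0,
        "hardened_leaks": len(find_user_hardened(conn, tricky)) > 0,
        "greeting": render_greeting("<b>bob</b>"),
    }
```

Wire `regression_check` into the test suite so that a future change that drops back to string-built SQL or unescaped output fails the build rather than reaching production.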
However, there is an alternative: software-as-a-service (SaaS). By transitioning your Web applications to third-party online providers, you eliminate the need to maintain and monitor your organization’s internal Web application security. Plus, you gain the benefit of on-demand software from any location with no server or network infrastructure to maintain. Better security and lower operational costs? Seems like a no-brainer to me.